Analysis
-
max time kernel
103s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
14/05/2025, 18:55
Behavioral task
behavioral1
Sample
stub.exe
Resource
win10v2004-20250502-en
General
-
Target
stub.exe
-
Size
41KB
-
MD5
fe5b18fb8ffd1bafb3883bf5d3fb33db
-
SHA1
d0888345fd3aa400fc8b22cb4dcd30de55929263
-
SHA256
3e6a1f26ea0c52f493b48f45556b77584e36d647b18499ac734e11394cfd6f71
-
SHA512
284376f1662894bdc438cd5d8328be38e67836f0e9d8fb389cdfaf16abc622191413d83e39f17826f95241813eba6acc2561e3152474f87fff3acf55b91c73c9
-
SSDEEP
768:+scGoA2e8jy5M/BgwZuZHesWTjgcXKZKfgm3EhUM:Nc9e8HMesWTsiF7EmM
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/860365364616364055/dWA-5PDcq6nC-drvVUSEcFKm1x7ZFbbUGmmbCWN8YHcHo6Fx_r0b9o2rP45QpRZwNO49
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 37 discord.com 38 discord.com 40 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip4.seeip.org 35 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stub.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 stub.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2672 stub.exe